Puppet Class: vulnerability

Defined in:
manifests/init.pp

Summary

The top-level class of the vulnerability module.

Overview

vulnerability::vulnerability

This class ensures that the correct version of [`grype`](github.com/anchore/grype) is installed and configured, and that your systems are scanned for vulnerabilities on the specified interval.

See the file “LICENSE” for the full license governing this code.

Parameters:

  • update (Boolean)

    Update the vulnerability database on every Puppet run. When you set this value to `true`, Puppet checks the vulnerability database on every run and updates it when it detects a new version. Although `true` is the best setting security-wise, it introduces changes to your Puppet runs that you may not want: the database, and therefore the scan results, can change from one run to the next. When you want more controlled updates, set this value to `false` and make sure that the `vulnerability::update` class is scheduled in some other way. Even when you set this value to `false`, Puppet performs an update on the initial run where [`grype`](github.com/anchore/grype) is installed; this is required to have at least an initial vulnerability database.

  • guard (Boolean)

    When you set this value to `true`, Puppet starts to guard the number of vulnerabilities on your system. Check the [`::vulnerability::guard` class](./guard.html) for details. The default value is `false`, meaning no automatic checks on the vulnerability status.

  • remediate (Boolean)

    When you set this value to `true`, Puppet remediates the specified CVEs. See the [remediate class](../remediate) for details. The default value is `true`.
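The following is an added example, not code from the module itself, showing how a site would wrap this class for the "controlled updates" case described under the `update` parameter. The profile class `profile::vulnerability_scan`, its `$auto_update` and `$refresh_window` parameters, and the assumption that `vulnerability::update` is implemented with `exec` resources are all hypothetical; the `grype_version` fact and its `not-installed` value are taken from the class source on this page.

```puppet
# Added example (not part of the vulnerability module): a hypothetical site
# profile that declares the top-level class and, when automatic updates are
# disabled, schedules vulnerability::update itself inside a fixed time window.
class profile::vulnerability_scan (
  # true  = let the module refresh the grype database on every Puppet run
  # false = keep runs predictable and refresh the database only in a window
  Boolean $auto_update    = false,
  String  $refresh_window = '02:00 - 04:00',
) {
  class { 'vulnerability':
    update    => $auto_update,
    guard     => true,   # check the number of vulnerabilities on every run
    remediate => false,  # report only; do not let Puppet change packages
  }

  if !$auto_update {
    # With update => false the module only refreshes the database on the run
    # that installs grype, so the database has to be refreshed from here.
    # Declaring the class ourselves also satisfies the module's own ordering
    # of guard after update; keep the setup -> update order the module uses.
    include vulnerability::update
    Class['vulnerability::setup'] -> Class['vulnerability::update']

    # On the run that installs grype the module forces an update so that a
    # database exists at all; do not put a schedule in the way of that run.
    if $facts['grype_version'] != 'not-installed' {
      # Allow the refresh once per day, only inside the maintenance window.
      schedule { 'grype_db_refresh':
        period => 'daily',
        repeat => 1,
        range  => $refresh_window,
      }

      # Puppet tags every resource with the class that declares it, and a
      # collector may override metaparameters on the resources it matches.
      # Assumption: vulnerability::update is built from exec resources;
      # change the type if the module uses something else.
      Exec <| tag == 'vulnerability::update' |> {
        schedule => 'grype_db_refresh',
      }
    }
  }
}
```

Outside the window the collected `exec` resources are skipped, so the database, and with it the result of the guard, only changes on a run inside `$refresh_window`. On the first run, where `grype_version` is still `not-installed`, the module's own unconditional update runs as before.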



# File 'manifests/init.pp', line 26

class vulnerability (
  Boolean $guard,
  Boolean $remediate,
  Boolean $update
) {
  include stdlib
  contain vulnerability::install
  contain vulnerability::setup

  Class['vulnerability::install']
  -> Class['vulnerability::setup']

  # Refresh the vulnerability database on every run when $update is set, and
  # always on the run that installs grype (the grype_version fact reports
  # 'not-installed' until then), so that an initial database exists.
  $do_update = $update or $facts['grype_version'] == 'not-installed'

  if $do_update {
    contain vulnerability::update

    Class['vulnerability::setup']
    -> Class['vulnerability::update']
  }

  if $guard {
    contain vulnerability::guard

    # Only order the guard after the update class when that class is actually
    # in the catalog; a relationship to an undeclared class fails compilation.
    if $do_update {
      Class['vulnerability::update']
      -> Class['vulnerability::guard']
    } else {
      Class['vulnerability::setup']
      -> Class['vulnerability::guard']
    }
  }

  if $remediate {
    contain vulnerability::remediate

    Class['vulnerability::setup']
    -> Class['vulnerability::remediate']
  }
}